In general, a network is a group of two or more electronic systems linked by a wired or wireless transmission medium to transmit data, commonly referred to as a data packet or a packet, from a source electronic system to a destination electronic system. Data packets are transmitted based on a set of rules, commonly referred to as a protocol, that are used by the source and the destination during a communication session. Examples of networks include a personal area network, a local area network, a metropolitan area network and a wide area network, such as the Internet. Examples of electronic systems include a personal computer, a personal digital assistant (PDA), a laptop or palmtop computer, a cellular phone, a computer system, a network access device, and a television set-top box.
A data packet may travel through one or more intermediate electronic systems, commonly referred to as network devices, during transmission from a source to a destination. Examples of network devices include, but are not limited to, a switch, a router or a bridge. In general, a network device is a packet-forwarding device that receives a data packet and determines an electronic system (either another network device or a destination) to which to forward the data packet.
An unauthorized user may attempt to access a network. Unauthorized access of a network is commonly referred to as network intrusion. A network intruder may attempt to inhibit the ability of authorized users to access the network, or attempt to prevent the use of a service on the network, for example, electronic mail (or e-mail). Such an attack on a network is commonly referred to as a denial-of-service (DoS) attack.
One technique for implementing a DoS attack is to send a large amount of data to a service that is unable to handle the data and thus begins dropping data. For example, a network intruder may transmit a large number of requests to connect to an e-mail server that is unable to keep up with the connection requests. As a result, the e-mail server may start dropping connection requests, including legitimate requests, thereby inhibiting authorized users' access to e-mail service.
A network intrusion detection system (NIDS) is a system used to determine whether a network is under attack. Typically, a NIDS examines packets entering a network to determine whether an unauthorized user is attempting to access the network. For example, a NIDS may determine whether there are a large number of connection request packets, which may indicate an attempted DoS attack. A NIDS may run either at a destination, where the destination's incoming traffic is examined, or on a network device between a source and a destination, in which case all network traffic is examined.
One type of NIDS is a signature-based NIDS, where the NIDS determines whether a packet includes a particular string of data that associates the packet with a network attack. Because the signature-based approach is based on data in the packet, only known attacks, i.e., attacks where a particular string of data is known to be associated with a particular network attack, may be addressed. In addition, a signature-based NIDS examines an intrusive packet's data after the packet reaches an application that provides a service, which means that the attack has already succeeded. Consequently, the goal of a signature-based approach is to prevent future attacks from being successful.
Another type of NIDS is an anomaly-based NIDS, in which network behavior is predicted and modeled, and certain behavior is identified as abnormal. An anomaly-based approach may be based on known protocol behavior, rather than on packet data known to be associated with a network attack. Consequently, an anomaly-based NIDS can address unknown, as well as known, attacks. In addition, an anomaly-based NIDS can prevent an attack before an intrusive packet reaches an application that provides a service. An anomaly-based NIDS is difficult to implement because of the difficulty in predicting and modeling network behavior and identifying abnormal behavior.
A conventional NIDS is susceptible to an attack in which packets are transmitted at high rates, sometimes referred to as a saturation attack. A conventional NIDS examines the packets of each flow. In general, a flow is a stream of packets transmitted between a source and a destination during a communication session. If packets are transmitted faster than the NIDS is able to examine them, the NIDS may start dropping packets or even completely shut down. A conventional NIDS is not able to throttle flow examination, i.e., examine the packets of fewer than all flows, which would reduce the likelihood of a successful saturation attack.
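The throttled flow examination described above, as an added Python model that is not code from the patent: when the packet rate exceeds an examination budget, the examiner samples whole flows by hashing the flow key (so a flow is never half-examined), and scales the sampled connection-request counts back up to flag the kind of connection-request DoS the NIDS paragraph mentions. `Packet`, `examine_interval`, the budget and threshold values and the sample traffic are all constructed for this illustration.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str     # source address
    dst: str     # destination address
    sport: int   # source port
    dport: int   # destination port
    syn: bool    # True for a TCP connection request (SYN)


def flow_key(p: Packet) -> tuple:
    """A flow: the packets between one source and one destination in a session."""
    return (p.src, p.dst, p.sport, p.dport)


def flow_selected(key: tuple, fraction: float) -> bool:
    """Deterministic per-flow sampling: hash the flow key so every packet of a
    flow is either examined or skipped together during the interval."""
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:4], "big") / 2**32 < fraction


def examine_interval(packets, budget: int, syn_threshold: int):
    """Examine one interval of traffic with a throttled examiner.
    If more packets arrive than `budget`, examine only a fraction of the flows
    instead of dropping packets, then scale the sampled counts back up to
    estimate the true rate. Returns (fraction, examined, alerts)."""
    fraction = min(1.0, budget / len(packets)) if packets else 1.0
    syn_by_dst = Counter()
    examined = 0
    for p in packets:
        if not flow_selected(flow_key(p), fraction):
            continue  # throttled: this flow is not examined this interval
        examined += 1
        if p.syn:
            syn_by_dst[p.dst] += 1
    # scaled estimate of connection requests per destination; alert above threshold
    alerts = {dst: round(n / fraction) for dst, n in syn_by_dst.items()
              if n / fraction > syn_threshold}
    return fraction, examined, alerts


# Constructed sample traffic: a connection-request flood toward 10.0.0.5:25
# from many sources, plus a small amount of normal traffic to 10.0.0.9:443.
flood = [Packet(f"198.51.100.{i % 250}", "10.0.0.5", 40000 + i, 25, True) for i in range(2000)]
normal = [Packet("192.0.2.7", "10.0.0.9", 50000 + i, 443, i % 50 == 0) for i in range(200)]

if __name__ == "__main__":
    print(examine_interval(flood + normal, budget=500, syn_threshold=100))
```

Because the sampling is per flow and scaled, the flood destination is still flagged even though only roughly a quarter of the packets were examined.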